Data Processing Agreement

Version 1.2 – 10 February 2025

1. Introduction

This Data Processing Agreement (“Agreement”) is a legally binding document that forms an integral part of and supplements the existing agreement between Catcher24 B.V. (“Catcher24”) and the Client. This Agreement pertains to the provision of services whereby Catcher24 processes personal data on behalf of the Client (“Services”).

2. Definitions

The terms used in this Agreement shall have the same meaning as defined in the General Data Protection Regulation (GDPR) and the existing agreement. In case of any discrepancies, this Agreement shall prevail unless mandatory legal provisions dictate otherwise.


3. Subject of Processing

Catcher24 processes personal data solely on behalf of the Client, the organization utilizing the services, and in accordance with the purposes set out in this Agreement and Annex 1. Catcher24 qualifies as a data processor, whereas the Client qualifies as the data controller.

  • The nature, purposes, duration, and categories of processing are detailed in Annex 1.

  • Processing shall only take place based on the (written and/or digital) agreement with the Client unless a legal obligation dictates otherwise. In such a case, Catcher24 shall inform the Client in advance, unless prohibited by law.

  • The (personal) data provided by the Data Controller (Client) to Catcher24 must:

    • (a) Be lawfully obtained and lawfully shared with Catcher24;

    • (b) Be accurate and up to date;

    • (c) Have been sufficiently communicated to end users regarding processing activities.


4. Obligations of Catcher24

  • Security Measures: Catcher24 shall implement appropriate technical and organizational security measures to protect personal data against loss, destruction, alteration, or unauthorized access (see also Annex 2).

  • Data Breaches: Catcher24 shall report any data breach without undue delay (but no later than within 72 hours) to the Client and fully cooperate in handling the incident and any required notifications to supervisory authorities and data subjects.

  • Data Subject Rights: Catcher24 shall facilitate and support the Client in responding to data subject requests concerning access, rectification, deletion, or portability of their data.

  • Sub-processors: Catcher24 shall notify the Client of any new sub-processor as soon as possible. The Client has the right to object within a reasonable timeframe. Catcher24 guarantees that all sub-processors are bound by the same obligations as set out in this Agreement.

  • Processing Only Under Instruction: Catcher24 shall process personal data exclusively for the purposes described in the agreement with the Client.

  • Confidentiality: Catcher24 shall ensure that employees and third parties with access to personal data are bound by a confidentiality obligation.

  • Audits: Catcher24 shall enable the Client to conduct (or have conducted) audits to verify compliance with this Agreement.

5. Use of Sub-processors

The Client grants Catcher24 permission to engage the sub-processors listed in Annex 1.
If Catcher24 intends to engage a new sub-processor or replace an existing one, it shall inform the Client as soon as possible through regular (digital) communication. The Client has the right to object within a reasonable timeframe.
Catcher24 guarantees that all sub-processors shall be bound by the same obligations as outlined in this Agreement, particularly regarding data protection and security.
If the Client objects and no resolution is reached, the Client has the right to terminate the Agreement for the part of the Services that involve the relevant sub-processor.

6. Termination and Data Deletion

Upon termination of the Services or at the Client’s request, Catcher24 shall securely delete all personal data, unless a legal obligation requires otherwise.
The obligations in this Agreement shall remain in effect after termination to the extent necessary to ensure GDPR compliance.

7. Governing Law and Dispute Resolution

This Agreement shall be governed by Dutch law.
Disputes shall be settled by the competent court in Amsterdam.


Annex 1: Description of Processing

Catcher24 processes personal data solely to deliver the Services to the Client and for no other purpose.

  • Types of Personal Data Processed: Name, email address, language, IP address, location data, and banking details.

  • Retention Period: Data shall be retained as long as the Client requires under the agreement and shall only be deleted upon written request by the Client.

  • Categories of Data Subjects: Employees of Catcher24 and its affiliated group companies, as well as third parties authorized by the Client.

| Service | Sub-processor | Description | Country |
|---|---|---|---|
| Network | PeakFactory | Secure network connections | NL |
| Hosting | Triplinq | Virtual server infrastructure | NL |
| Endpoint Security | Triplinq | Endpoint security services | NL |
| Phishing Services | Phished | Phishing simulation and training | BE |
| Payment Processing | Stripe | Invoicing and payment | IE |

Annex 2: Security Measures

Catcher24 has implemented the following security measures:

  • Encryption: SSL encryption on all interfaces and connections.

  • Access Control: Password policies, MFA, and user authorization models.

  • Network Security: Firewall rules and intrusion detection.

  • Backup: Onsite and offsite backups.

  • Incident Management: Log registration and security incident reporting procedures.

  • Physical Security: Data center compliance with ISO 27001 and SOC 2 Type II.

If you contact us to exercise any of your rights, please specify the right you wish to exercise as clearly as possible.
For questions regarding this Agreement: legal@Catcher24.nl
For incident reports: abuse@Catcher24.nl